Category:   Application (Generic)  >   Open Motif
Vendors:   Open Group, The
Open Motif Buffer Overflows in diag_issue_diagnostic() and open_source_file() May Let Users Execute Arbitrary Code
SecurityTracker Alert ID:  1015303
SecurityTracker URL:  http://securitytracker.com/id/1015303
CVE Reference:   CVE-2005-3964
Updated:  Apr 4 2006
Original Entry Date:  Dec 2 2005
Impact:   Execution of arbitrary code via local system, Execution of arbitrary code via network, User access via local system, User access via network

Version(s): 2.2.3
Description:   A vulnerability was reported in Open Motif in the libUil library. A user may be able to execute arbitrary code.

The diag_issue_diagnostic() function in 'Clients/uil/UilDiags.c' contains a buffer overflow. A user may be able to supply specially crafted data to an application that uses the affected function to trigger the overflow and potentially execute arbitrary code.

The specific impact depends on the application using the library function.

The open_source_file() function in 'Clients/uil/UilSrcSrc.c' is also affected.

Xfocus reported this vulnerability.

Impact:   A user may be able to execute arbitrary code on the target system. The specific impact depends on the application using the library function.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.motifzone.net/
Cause:   Boundary error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Apr 4 2006 (Red Hat Issues Fix) Open Motif Buffer Overflows in diag_issue_diagnostic() and open_source_file() May Let Users Execute Arbitrary Code
Red Hat has released a fix for Red Hat Enterprise Linux 2.1, 3, and 4.



 Source Message Contents

Subject:  [Full-disclosure] [xfocus-SD-051202]openMotif libUil Multiple

Title:  [xfocus-SD-051202]openMotif-libUil-Multiple_vulnerability

Affected version: openmotif 2.2.3 (did not get 2.2.4, so not tested in
openmotif 2.2.4)
Product: http://www.motifzone.net/

xfocus (http://www.xfocus.org) has discovered multiple vulnerabilities in
the openmotif libUil library. Details follow:

1: libUil.so diag_issue_diagnostic buffer overflow

Clients/uil/UilDiags.c
diag_issue_diagnostic()
    void    diag_issue_diagnostic
                ( int d_message_number, src_source_record_type *az_src_rec,
                  int l_start_column, ...)

    {
        va_list     ap;                     /* ptr to variable length parameter */
        int         severity;               /* severity of message */
        int         message_number;         /* message number */
        char        msg_buffer[132];        /* buffer to construct message */
        char        ptr_buffer[buf_size];   /* buffer to construct pointer */
        char        loc_buffer[132];        /* buffer to construct location */
        char        src_buffer[buf_size];   /* buffer to hold source line */
    ......
        va_start(ap, l_start_column);

    #ifndef NO_MESSAGE_CATALOG
        /* [1.1] (UilDiags.c line 296) */
        vsprintf( msg_buffer,
                  catgets(uil_catd, UIL_SET1, msg_cat_table[ message_number ],
                          diag_rz_msg_table[ message_number ].ac_text),
                  ap );
    #else
        /* [1.2] (UilDiags.c line 301) */
        vsprintf( msg_buffer,
                  diag_rz_msg_table[ message_number ].ac_text,
                  ap );
    #endif
        va_end(ap);

[1.1][1.2] The calls to vsprintf will cause a buffer overflow if ap is
user-supplied data, so a local or remote application that uses this library
may allow execution of arbitrary code.

2: libUil.so open_source_file buffer overflow

Clients/uil/UilSrcSrc.c

    status
    open_source_file( XmConst char           *c_file_name,
                      uil_fcb_type           *az_fcb,
                      src_source_buffer_type *az_source_buffer )
    {

        static unsigned short       main_dir_len = 0;
        boolean                     main_file;
        int                         i;  /* loop index through include files */
        char                        buffer[256];


        /* place the file name in the expanded_name buffer */

        /* [2.1] (UilSrcSrc.c line 634) */
        strcpy(buffer, c_file_name);

    /*    Determine if this is the main file or an include file.  */

        main_file = (main_fcb == NULL);
    639
[2.1] like above

--EOF
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
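
The two unbounded calls flagged at [1.1]/[1.2] and [2.1] above, rewritten with explicit bounds. This is an added example, not code from Open Motif, xfocus, or any vendor fix; the helper names format_diag_message and copy_file_name are hypothetical, and the sizes 132 and 256 are taken from the excerpts in the message.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define MSG_BUF_SIZE  132  /* msg_buffer size in the diag_issue_diagnostic() excerpt */
#define NAME_BUF_SIZE 256  /* buffer size in the open_source_file() excerpt */

/* Hypothetical bounded replacement for the vsprintf() calls at [1.1]/[1.2].
 * Returns 0 if the whole message fit, -1 if it was truncated or failed;
 * out is NUL-terminated on truncation. */
int format_diag_message(char *out, size_t out_size, const char *fmt, ...)
{
    va_list ap;
    int needed;

    va_start(ap, fmt);
    needed = vsnprintf(out, out_size, fmt, ap);  /* never writes past out_size */
    va_end(ap);
    if (needed < 0)
        return -1;
    return ((size_t)needed >= out_size) ? -1 : 0;
}

/* Hypothetical bounded replacement for the strcpy() at [2.1]. Over-long names
 * are rejected rather than truncated, since a cut-off path may name another file. */
int copy_file_name(char *out, size_t out_size, const char *name)
{
    size_t len;

    if (out == NULL || out_size == 0 || name == NULL)
        return -1;
    len = strlen(name);
    if (len >= out_size) {
        out[0] = '\0';
        return -1;
    }
    memcpy(out, name, len + 1);  /* len + 1 copies the terminating NUL */
    return 0;
}

int main(void)
{
    char msg[MSG_BUF_SIZE], name[NAME_BUF_SIZE], big[600];

    memset(big, 'A', sizeof big - 1);  /* constructed over-long input */
    big[sizeof big - 1] = '\0';
    printf("format=%d copy=%d\n", format_diag_message(msg, sizeof msg, "%s", big),
           copy_file_name(name, sizeof name, big));
    return 0;
}
```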

 
 

